registry  /  @alienplatform/cli  /  1.10.6

@alienplatform/cli@1.10.6

Alien Developer Platform CLI

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface in this package. The only active behavior is a user-invoked CLI shim that locates and runs a platform binary from an optional dependency or local vendor directory.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the alien CLI binary.
Impact
Runs the resolved Alien CLI binary with user arguments and inherited environment; no source evidence of exfiltration or install-time behavior in this package.
Mechanism
platform binary launcher shim
Rationale
Static inspection shows a conventional CLI wrapper with no lifecycle hooks, network behavior, credential collection, or file mutation. The child_process and env forwarding are package-aligned for launching the CLI binary and are only activated by explicit user execution.
Evidence
package.jsonbin/alien.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/alien.js spawns a platform-specific native binary and forwards argv/stdio/env at user invocation time.
  • package.json optionalDependencies point to platform-specific @alienplatform/cli binary packages not present in this package.
Evidence against
  • package.json has no lifecycle scripts; install/import does not execute package code.
  • bin/alien.js only resolves an optional dependency or local vendor path, then spawns it when the alien bin is run.
  • No network client code, credential harvesting, filesystem writes, persistence, or destructive commands found.
  • Scanner runtime install signal is only an error message suggesting reinstall, not an executed install command.
  • Package contains only package.json and bin/alien.js.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.19 KB of source

Source & flagged code

2 flagged · loading source
bin/alien.jsView file
2L3: import { spawn } from "node:child_process" L4: import { existsSync } from "node:fs"
High
Child Process

Package source references child process execution.

bin/alien.jsView on unpkg · L2
52console.error( L53: `Could not find alien binary for ${platformKey}.\nTry reinstalling: npm install -g @alienplatform/cli`, L54: ) ... L58: // Spawn the binary, forwarding all arguments and stdio L59: const child = spawn(binPath, process.argv.slice(2), { L60: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/alien.jsView on unpkg · L52

Findings

3 High1 Medium1 Low
HighChild Processbin/alien.js
HighShell
HighRuntime Package Installbin/alien.js
MediumEnvironment Vars
LowFilesystem